PatchSiren cyber security CVE debrief
CVE-2026-33380 Grafana CVE debrief
CVE-2026-33380 is a medium-severity vulnerability in Grafana's SQL Expressions feature. An authenticated attacker can exploit this vulnerability to read arbitrary files from the Grafana server's filesystem. This vulnerability is only exploitable if the sqlExpressions feature toggle is enabled.
- Vendor: Grafana
- Product: Grafana OSS
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-06-17
- Advisory published: 2026-05-13
- Advisory updated: 2026-06-17
Who should care
Grafana users with the sqlExpressions feature toggle enabled should be aware of this vulnerability and take steps to mitigate it.
Technical summary
CVE-2026-33380 has a CVSS score of 6.3 and is classified as MEDIUM severity. The vulnerability is caused by a weakness in Grafana's SQL Expressions feature, which allows an authenticated attacker to read arbitrary files from the server's filesystem. The vulnerability is tracked under CWE-552.
Defensive priority
medium
Recommended defensive actions
- Update to a patched version of Grafana: 11.6.14, 12.2.8, 12.3.6, 12.4.3, or 13.0.1
- Disable the sqlExpressions feature toggle if not in use
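A triage check for the two actions above, added here as an example and not taken from Grafana or the advisory: it compares a version string against the patched releases listed on this page and looks for the sqlExpressions toggle in grafana.ini text or the environment. It assumes the toggle is set through the `[feature_toggles]` section or `GF_FEATURE_TOGGLES_ENABLE`; release branches not listed on this page are reported as unknown, and the function names and sample config are constructed for illustration.

```python
import configparser

# Patched releases listed in the debrief, keyed by (major, minor) branch.
PATCHED = {(11, 6): 14, (12, 2): 8, (12, 3): 6, (12, 4): 3, (13, 0): 1}
TOGGLE = "sqlExpressions"

# Constructed sample config; "exampleToggle" is a placeholder name.
SAMPLE_INI = """\
app_mode = production
[feature_toggles]
enable = exampleToggle, sqlExpressions
"""

def _names(value):
    """Split a comma- or space-separated toggle list."""
    return set(value.replace(",", " ").split())

def toggle_enabled(ini_text, env=None):
    """True if the ini text or GF_FEATURE_TOGGLES_ENABLE turns the toggle on."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep camelCase option names
    # grafana.ini may hold keys before the first section header.
    cp.read_string("[DEFAULT]\n" + ini_text)
    enabled = _names((env or {}).get("GF_FEATURE_TOGGLES_ENABLE", ""))
    if cp.has_section("feature_toggles"):
        section = cp["feature_toggles"]
        enabled |= _names(section.get("enable", ""))
        if section.get(TOGGLE, "").strip().lower() == "true":
            enabled.add(TOGGLE)
    # Union of both sources: conservative, may over-report.
    return TOGGLE in enabled

def patch_status(version):
    """Return 'patched', 'needs-update' or 'unknown' for a version string."""
    core = version.lstrip("v").split("+")[0].split("-")[0]
    try:
        major, minor, patch = (int(p) for p in core.split(".")[:3])
    except ValueError:
        return "unknown"
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        return "unknown"  # branch not listed on this page
    return "patched" if patch >= fixed else "needs-update"

def needs_action(version, ini_text, env=None):
    """Flag an instance that is not on a listed fix and has the toggle on."""
    return patch_status(version) != "patched" and toggle_enabled(ini_text, env)

if __name__ == "__main__":
    print(patch_status("12.3.5"), needs_action("12.3.5", SAMPLE_INI))
```

An "unknown" result means the branch should be checked against the vendor advisory rather than treated as safe.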
Evidence notes
Evidence from NVD and Grafana's security advisory confirms the existence and details of this vulnerability.
Official resources
- CVE-2026-33380 CVE record (CVE.org)
- CVE-2026-33380 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (Vendor Advisory)
CVE-2026-33380 was published on 2026-05-13T20:16:20.697Z and modified on 2026-06-16T19:33:18.130Z.